Musings About Network Security

I was recently asked to comment about security and virtual private networks (VPNs). I will start with an overall observation. At most sites today, there is insufficient security and it is happening by design — or, rather, by lack of attention to the problem. At most companies, the security policy has been reduced to "whatever has been implemented in the firewall." In fact, the opposite is supposed to be the goal — i.e., the firewall should implement the security policies of the company.

In a very general sense, there are five questions that should be kept in mind when formulating security policies:

1. What are you trying to protect? This sounds obvious, but try to answer the question! I deal with many companies where the very essence of the company is intellectual property that is wholly contained on a single server. Answering this question will allow you to focus your efforts.
2. From whom are you protecting it? This also sounds obvious but when considering the protection you need, it is an important question to answer. Is your major concern pedestrian attackers or well-funded, sophisticated government-sponsored or industrial espionage?
3. What is the likelihood of an attack and what kind of attack is most likely? Again, the answers here will help you gauge your site's exposure.
4. What are the possible results of an attack or compromise? The obvious answer is that someone will trash your server and your data will be lost. That, however, is actually almost innocuous; I mean, you do have backups, don't you? But consider an even more nefarious scenario: an attacker steals your data files or worse, alters them without your knowledge. The results of these attacks cannot be measured in mere dollars because the effect is not just the amount of hardware, software, and personnel time it takes to restore the site; consider the effect on your company's credibility and/or customer confidence. In some cases, a successful major attack on a company can put the company out of business.
5. How much protection can you afford? This question is always a major headache for network managers and CIOs. After determining what's at risk and gaining a real measure of the exposures and vulnerabilities, you can then take a stab at determining what kind of financial resources you should direct at the problem.

A last comment on this issue. There is a well-known "formula" that is used to measure a site's security risk:

A represents the asset value of the material you have placed on the network; A is always rising! T is the threat likelihood, which I believe is always changing; when you fire an employee, publish a paper about security (!), or do anything that calls attention to your company, your visibility goes up for a while and so does the potential threat. Finally, V is the vulnerability. This is the area you can really work on; the only way to minimize your risk is to reduce your vulnerability with security tools, policies, user education, and vigilance.

Some other issues for reflection:

• Your corporate security policies have to reflect the reality of the business as well as the workplace. They need to combine aspects of network operations, corporate policy, and user habits. The policy must evolve with the company. Just as information technology (IT) is now generally recognized as integral to the strategic goals of the company, security pollicies must be integral to IT. But also realize that Draconian policies and procedures won't work either; if tools are put in place that inhibit people's ability to work, they won't use them. Policies must be woven into the workplace, not imposed upon it!

• Cable modems and ADSL connections will provide home users with high-speed, 24x7 connectivity to the Internet. That is good. It also provides them with an IP address on a 24x7 basis. That is potentially bad. Home users should consider installing personal firewalls to protect their systems; there are many stories about home systems being hacked. If the industry does not address this problem proactively, too many users will get too many nasty surprises which could negatively impact the proliferation of cable modems and ADSL.

• TCP/IP, Unix, and Windows 9x/NT/2000 are not inherently secure. You can protect your systems and servers, but this requires real work and monitoring. Security cannot be done one time and then ignored. There are no secure sites on the Internet, only vigilant ones!

• There are many tools that should be employed to secure your site. Firewalls are a must, of course, and should be configured to block the launch of an outbound attack as well as to block an incoming one. Logging and auditing should be employed on all routers and servers; log analysis tools will help you interpret the information contained in these logs. Operating system vulnerability software should be regularly employed to test your systems against new forms of attack. Intrusion detectors can spot an attack in real-time.

And now, a final point. One of the hottest topics around today is VPN — virtual private network. VPNs are a wonderful tool for providing private network-like access over a public network. Today, most VPNs require an a priori relationship between user and server.

Although many users may not have not used a VPN to connect back to their corporate network, most have used a form of VPNs on the Internet. Even as you read this, we have electronic commerce and secure Internet transactions using certificates and public-key cryptography (PKC). Certificates provide a trusted way to bind a user identity and a public key. Increasingly, many VPN products are relying on certificates and PKC.

Eventually, I see the emergence of something that I will call a "virtual VPN" (you heard it here first!). Within a few years, I believe that individual certificates will become commonplace, allowing users the ability to access many new services, both public and private.

These musings don't even begin to scratch the surface of network security issues, but I hope that they make you think about the importance of this problem.

Gary C. Kessler is a frequent speaker at industry events in and out of Vermont. He is currently an Assistant Professor and progream coordinator of the Computer Networking major at Champlain College, and a board member if VTAC. He can be contacted at kumquat@sover.net.